Onion ransomware developers keep releasing new virus versions

Onion virus belongs to the group of file-encrypting viruses called ransomware [1], which encrypt files and display a 72-hour countdown clock for making the payment. It presents a unique email address, ttk@ruggedinbox.com, for victims to contact if they wish to regain access to their encrypted files.

The infection has been affiliated with the infamous CryptoLocker and Dharma ransomware families [2], which suggests this parasite is not just a random PC threat but a potentially destructive virus that you must banish from your PC as soon as possible. Luckily, this article is dedicated to helping people remove Onion from their computers, so you can start the elimination process immediately. You will find useful suggestions on how to do it safely at the end of the article.

The malware targets PDF, XLS, PPT, DOCT, TXT, JPEG, and JS file types and encodes them with the RSA-21024 algorithm. After successful data encryption, the user finds MW_ IN FILES.txt or KK_ IN YOUR DOCUMENTS.txt ransom files in every folder. They instruct the victim how to access the Tor2Web network, purchase 3 bitcoins (3754.12 USD) and transfer them to the given bitcoin address.

Once the payment is made, the user is provided with a unique code and has to send it to the indicated email address. According to the ransom note, victims should then obtain the decryption key. However, there are few reports of data actually being returned. If you get tempted to download Onion Decrypter, you might inflict more severe changes on the computer. Even if the decryption software decodes the files, it may leave corrupted files on the system which later “detonate” themselves and facilitate another Onion hijack. Paying the ransom is not recommended, as you only encourage hackers to continue their misdeeds, and there are no guarantees that they will play fairly.

Recently, discussions flared up again as new derivative versions of the malware, including OnyonLock, Gebdp3k7bolalnd4.onion and help@onyon.info, started to emerge on the web one after the other. These viruses were quite independent, though. For instance, the .onion file extension virus version, which showed up in 2014, drew experts' attention for its tendency to disguise its Command and Control server with the help of the Tor network [3]. At the time, such a feature was quite unusual. In time, the virus subsided, but not for long: it has been spotted again spreading in a new form. However, the latter improved version is not fully analyzed, which prevents the creation of an effective decrypter. Nonetheless, we do not recommend you to nurture hopes of data recovery, as there are few chances that the hackers will return the files. Therefore, it is better to focus on Onion removal. One of the solutions is to rely on Reimage or Malwarebytes Anti Malware.

Onion virus versions:

.onion file extension virus is the latest variant of Onion ransomware. It spreads around the web similarly to its predecessors (via spam mail, exploit kits, malicious JavaScripts and various phishing schemes). Once on the computer, the virus starts scanning it for predetermined types of files and encrypts them using an AES ciphering key. Filenames of the affected files will have .onion file extensions appended. Besides, the extensions will also feature an email address, typically felix_dies@aol.com. Finally, in the last stage of the hijack, the ransomware drops .txt, .hta, .jpg or similar files on the computer. These are the ransom notes which explain how the victims can recover their files. In particular, the victims are instructed to contact the criminals via the email address featured in the file extensions.

OnyonLock virus. This is yet another malicious parasite belonging to the Onion virus family. When it makes its way onto the computer, this virus targets specific types of files, enciphers their contents using a strong encryption algorithm and appends .onyon extensions to them. Once the encryption process is finished, it drops a note called !#_DECRYPT_#!.inf on the victim's computer. The note is meant to inform the victims of the ransomware attack about what happened to their computers and how they can step out of the unfavourable situation. The victims are urged to contact the criminals as soon as possible, as the criminals promise to lower the data decryption price for those who reach out to them quicker. The Decrypter@onyon.su and tk.btcw@protonmail.ch email addresses are typically associated with the virus.

Gebdp3k7bolalnd4.onion virus. The virus is a relatively new Onion ransomware follow-up which is also known by the name of Cry128 ransomware. Following in the footsteps of its predecessors, this parasite appends different extensions to files to indicate that they have been encrypted. We can find versions adding .onion._, .onion.to._ and gebdp3k7bolalnd4.onion._, the last of which has also been used when labelling this threat. Following the infiltration and data encryption, the virus drops .html or GUI files on the infected computer's desktop. These files provide instructions which the victim has to follow in order to be able to access the encrypted files again. We should warn you that paying the ransom does not guarantee anything, meaning you might be left without your files and your money if the hackers decide so.

help@onyon.info virus is another version of the Onion virus which appends [help@onyon.info].master extensions to the encrypted files. The email address featured in this extension was placed there by the cyber criminals on purpose, and it serves a double purpose. First, it helps indicate which specific version of the malicious virus family has encrypted the victim's computer and, second, it points to where the victims might find information about data recovery. Most likely, though, the victims will contact the perpetrators via this address only with their ransom payment applications, as all data recovery instructions are listed in a separate document, a ransom note called “!#_RESTORE_FILES_#!”.
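The appended extensions and ransom note names listed for the four variants above can serve as triage indicators when checking a suspect machine or a file share. The following script is an added example (not from the article or any vendor tool): it walks a directory tree, flags ransom notes and renamed files, and attributes hits to a variant using only the strings quoted above; the directory layout it scans is constructed in a temporary folder so it runs offline. The exact placement of the felix_dies@aol.com address inside the .onion extension is not given in the article, so the sample relies on the .onion suffix alone.

```python
import os
import tempfile
from collections import Counter

# Variant -> appended filename suffixes quoted in the article (lower-case).
SUFFIXES = {
    "onion": (".onion",),
    "onyonlock": (".onyon",),
    "cry128": (".onion._", ".onion.to._", ".gebdp3k7bolalnd4.onion._"),
    "help@onyon.info": ("[help@onyon.info].master",),
}
# Ransom-note names quoted in the article; matched as prefixes because the
# !#_RESTORE_FILES_#! note is named without its extension in the text.
NOTE_NAMES = ("mw_ in files.txt", "kk_ in your documents.txt",
              "!#_decrypt_#!.inf", "!#_restore_files_#!")

def classify(name):
    """Return ('note', None), ('encrypted', variant) or None for one filename."""
    low = name.lower()
    if low.startswith(NOTE_NAMES):
        return ("note", None)
    for variant, sufs in SUFFIXES.items():
        if low.endswith(sufs):
            return ("encrypted", variant)
    return None

def scan(root):
    """Walk root; return (list of ransom-note paths, Counter of variant -> hits)."""
    notes, hits = [], Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            kind = classify(name)
            if kind is None:
                continue
            label, variant = kind
            if label == "note":
                notes.append(os.path.join(dirpath, name))
            else:
                hits[variant] += 1
    return notes, hits

def build_sample_tree(root):
    """Constructed sample data: clean files, renamed files and notes (all empty)."""
    sample = {
        "docs": ["budget.xls", "budget.xls.onion", "MW_ IN FILES.txt"],
        "docs/q3": ["plan.ppt.onyon", "!#_DECRYPT_#!.inf", "readme.txt"],
        "pics": ["cat.jpeg.onion.to._", "dog.jpeg[help@onyon.info].master",
                 "!#_RESTORE_FILES_#!.txt"],
    }
    for sub, names in sample.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            open(os.path.join(root, sub, n), "w").close()
    return root

def demo():
    """Build the constructed tree in a temp dir and scan it."""
    return scan(build_sample_tree(tempfile.mkdtemp()))

if __name__ == "__main__":
    notes, hits = demo()
    print("ransom notes:", *notes, sep="\n  ")
    print("renamed files per variant:", dict(hits))
```

On a real system, point `scan()` at a user profile or share root; a single hit on a note name is a stronger signal than a lone `.onion` suffix, which a legitimate file could carry.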

Methods of ransomware dispersion

Like any other ransomware, Onion ransomware tends to spread via exploit kits [4], spam email attachments [5], illegal websites and so on. According to recent malware research, the virus spreads disguised as a ZIP file attached to spam emails. Such email messages purport to come from various authorities and are presented as invoices, tax fees and other important documents. Verify the sender and only then review the content.

Furthermore, avoid visiting illegal websites and clicking on pop-ups that offer to update Java, Flash Player, Media Player or other software out of nowhere. File-sharing sites, specifically torrent sharing domains, often get compromised with malware such as exploit kits. In order to reduce the risk of getting infected with them, install Reimage or Malwarebytes Anti Malware. They are also practical tools for dealing with other sorts of malware. Now let us move on to the final section, which explains how to remove Onion.

Experts' advice on Onion virus removal

However menacingly the ransomware seizes the device, it is crucial to put an end to the malware right away. Thus, remove Onion virus with the assistance of a malware elimination tool. Do not be surprised if the device is not fully responding: malware may modify registry entries, which results in non-responding functions. In that case, the guide below will come in handy. Bear in mind that Onion removal must be completed in order to advance to the next stage. You may also interfere with the malware processes by ending the tasks it has started in the Task Manager.


Reimage is recommended to uninstall Onion ransomware. The free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of the Reimage malware removal tool.

Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware and complete Onion removal.

If the ransomware is blocking Safe Mode with Networking, try the following method.

Make use of ShadowExplorer

Follow a Shadow Explorer Setup Wizard and install this application on your computer;

Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;

Right-click on the folder you want to restore and select “Export”. You can also choose where you want it to be stored.

Onion Decrypter

Since it is related to the Dharma virus, you may succeed in decrypting the data with Dharma Decryptor. On the other hand, taking into account its updated features, there are no guarantees that this option will work out.